| Summary: | [Update Request]Update boost package to fix CVE-2013-0252 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, luigiwalser, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/538848/ | ||
| Whiteboard: | has_procedure mga2-64-ok MGA2-32OK | ||
| Source RPM: | boost-1.48.0-9.2.mga2 | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 9114 | ||
Description
Funda Wang
2013-02-20 05:42:26 CET
SRPM: boost-1.48.0-9.2.mga2.src.rpm
-----------------------------------
boost-devel-doc
boost-examples
lib64boost_chrono1.48.0
lib64boost_date_time1.48.0
lib64boost-devel
lib64boost_filesystem1.48.0
lib64boost_graph1.48.0
lib64boost_iostreams1.48.0
lib64boost_locale1.48.0
lib64boost_math1.48.0
lib64boost_prg_exec_monitor1.48.0
lib64boost_program_options1.48.0
lib64boost_python1.48.0
lib64boost_random1.48.0
lib64boost_regex1.48.0
lib64boost_serialization1.48.0
lib64boost_signals1.48.0
lib64boost-static-devel
lib64boost_system1.48.0
lib64boost_thread1.48.0
lib64boost_timer1.48.0
lib64boost_unit_test_framework1.48.0
lib64boost_wave1.48.0
lib64boost_wserialization1.48.0

Testing mga2 64
Before
------
Confirmed it is vulnerable
Saved the PoC as 9127.cpp
Edited it to put each #include on a separate line
Installed lib64boost-devel
$ g++ 9127.cpp -o 9127
$ ./9127
$
Shows no output. It should cause an exception and show an error.
After
-----
Confirmed there is nothing using the library which would need rebuilding
$ urpmq --whatrequires lib64boost_locale1.48.0
lib64boost-devel
lib64boost_locale1.48.0
$ rm -f 9127
$ g++ 9127.cpp -o 9127
$ ./9127
Source string contains illegal UTF-8 byte sequences
$
Tested with a few applications from..
$ urpmq --whatrequires $(rpm -qa --qf '%{NAME}\n' | grep boost | tr "\n" " ")
No regressions noticed.

Whiteboard: (none) => has_procedure mga2-64-ok

Ignore the rebuilding bit, it wasn't necessary.

This also needs fixed in Cauldron, but it's in progress by Shlomi and Barry. It's fixed upstream in 1.53.0, and I think they have all dependent packages rebuilding successfully except for one.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/

URL: http://www.boost.org/users/news/boost_locale_security_notice.html => http://lwn.net/Vulnerabilities/538848/

Thanks for the procedure Claire.

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm boost-1.48.0-9.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:
Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw (CVE-2013-0252): boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences. Applications that used these functions for UTF-8 input validation could expose themselves to security threats as an invalid UTF-8 sequence would be considered as valid.

The package has been patched to fix the above security flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/
https://bugs.mageia.org/show_bug.cgi?id=9127

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0061

Status: NEW => RESOLVED
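
The advisory above concerns code that relied on a UTF-8 decoder for input validation. As an added illustration (not part of this bug report, not the PoC and not Boost's code), here is a strict RFC 3629 validator run over constructed malformed inputs. The page does not say which sequences CVE-2013-0252 let through, so the samples are generic categories, and `is_valid_utf8` is a hypothetical name.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Strict UTF-8 check (RFC 3629): rejects stray or missing continuation bytes,
// overlong forms, UTF-16 surrogates and code points above U+10FFFF.
// Hypothetical helper, independent of boost::locale.
bool is_valid_utf8(const std::string& s) {
    const std::size_t n = s.size();
    std::size_t i = 0;
    while (i < n) {
        const unsigned char b0 = static_cast<unsigned char>(s[i]);
        std::size_t len = 0;
        unsigned long cp = 0, min_cp = 0;
        if (b0 < 0x80)                { i += 1; continue; }
        else if ((b0 & 0xE0) == 0xC0) { len = 2; cp = b0 & 0x1F; min_cp = 0x80; }
        else if ((b0 & 0xF0) == 0xE0) { len = 3; cp = b0 & 0x0F; min_cp = 0x800; }
        else if ((b0 & 0xF8) == 0xF0) { len = 4; cp = b0 & 0x07; min_cp = 0x10000; }
        else return false;              // lone continuation byte, or 0xF8..0xFF
        if (n - i < len) return false;  // sequence truncated at end of input
        for (std::size_t k = 1; k < len; ++k) {
            const unsigned char b = static_cast<unsigned char>(s[i + k]);
            if ((b & 0xC0) != 0x80) return false;  // not a continuation byte
            cp = (cp << 6) | (b & 0x3F);
        }
        if (cp < min_cp) return false;                   // overlong encoding
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;  // surrogate
        if (cp > 0x10FFFF) return false;                 // beyond Unicode
        i += len;
    }
    return true;
}

int main() {
    // Constructed samples; not taken from the PoC attached to the bug.
    const struct { const char* label; std::string bytes; } samples[] = {
        {"ascii", "hello"},
        {"two-byte U+00E9", "\xC3\xA9"},
        {"overlong '/'", "\xC0\xAF"},
        {"truncated 3-byte", "\xE2\x82"},
        {"lone continuation", "\x80"},
        {"surrogate U+D800", "\xED\xA0\x80"},
        {"above U+10FFFF", "\xF4\x90\x80\x80"},
    };
    for (const auto& t : samples)
        std::printf("%-20s %s\n", t.label, is_valid_utf8(t.bytes) ? "valid" : "INVALID");
    return 0;
}
```

Only the first two samples are reported as valid; a validator that accepts any of the others has the class of weakness the advisory describes.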